How much security does Y-00 protocol provide us? 
New quantum cryptography, often called Y-00 protocol, has much higher performance than the
conventional quantum cryptographies. It seems that the conventional quantum cryptographic
attacks are ineffective against Y-00 protocol, as its security rests on different grounds from
that of the conventional ones. We have therefore tried to cryptanalyze Y-00 protocol from the
viewpoint of a cryptographic communication system. As a result, it turns out that the security
of Y-00 protocol is equivalent to that of a classical stream cipher.
Quantum cryptography has appeared as a promising way to achieve security without depending
on any computational complexity assumption. However, most of the schemes proposed to date
are based on single photon states (QCSPS), and thus share a well-known negative
characteristic: their bit rate is much slower than that of normal optical communication
systems.

Recently a quantum cryptography scheme which uses mesoscopic coherent states has been
reported. This scheme has much higher performance than conventional ones which are based on
single photon states. Because this scheme based on mesoscopic coherent states, often called
"Y-00 protocol," has an average photon number of 100-1,000 photons per pulse, its bit rate is
expected to be 100-1,000 times faster than that of QCSPS. In addition, the technical level
required to realize the protocol is supposed to be quite the same as in conventional optical
systems. Y-00 protocol would then be a sufficiently fast and easily realizable quantum
cryptography scheme, if it actually had perfect security.

In this paper, we show that the Y-00 protocol does not provide perfect security, even against
the simplest of cryptographic attacks, ciphertext-only ones. A usual cryptographic system
consists of two channels (Fig. 1): an open channel for exchanging encrypted messages and a
secure channel for key distribution. Quantum cryptography based protocols, including Y-00
protocol, provide a realization of the secure channel for key distribution. Let us underline
that our attack targets are not only the secure channel, but also the open channel for
messages.

We also show that the security of Y-00 protocol is just equivalent to that of a classical
stream cipher. In other words, we can safely say that Y-00 protocol has no perfect security
and that its security depends on just a common computational complexity assumption, being
then no better than currently used schemes.




FIG. 1: Cryptographic communication system 

Y-00 protocol is a quantum key expansion (QKE) scheme. Both Alice and Bob must share a secret
key $K_s$ in advance. Notice that even conventional quantum cryptography can be regarded as
a quantum key expansion scheme, since a short key is needed for the authentication of the
classical channel. Y-00 protocol uses the secret key for quantum modulation and
de-modulation in a quantum channel for expansion of the key.

Y-00 protocol has, then, $2M$ non-orthogonal coherent states called "qumodes":

$$|\alpha e^{i\theta_k}\rangle, \qquad \theta_k = \pi k/M, \tag{1}$$

where $\alpha \in \mathbb{C}$ and $k \in \{0, \ldots, 2M-1\}$, or

$$|\Psi(\theta_k)\rangle = |\alpha\cos\theta_k/2\rangle_H \, |\alpha\sin\theta_k/2\rangle_V, \tag{2}$$

in the polarization coding, where the suffixes "H" and "V" denote the horizontal and vertical
polarization modes. We focus on the polarization coding hereafter.

The $2M$ states are divided into $M$ pairs:

where $k \in \{0, \ldots, M-1\}$ and the pairs are orthogonal to each other. A specific pair,
then, determines a specific polarization base.

At first Alice and Bob generate a pseudo-random number stream $k_i \in \{0, \ldots, M-1\}$
from the secret key $K_s$ in a synchronized manner:

$$\mathrm{PRNG}: K_s \mapsto k_i, \qquad i \in \mathbb{N}, \tag{5}$$

where PRNG is a pseudo-random number generator and the number $k_i$ determines the
polarization base. Alice generates a number $r_i \in \{0, 1\}$ with a physical random number
generator (PhRNG) and modulates $r_i$ into a qumode in the $k_i$-base. Bob observes the
qumode sent from Alice with the $k_i$-base and de-modulates it from the qumode. The mechanism
is called "$M$-ary level ciphering."

Y-00 protocol has another important mechanism called "Ciphering Wheel." Ciphering Wheel is a
rule for assigning bits 0 and 1 of $r_i$ to the two qumodes on each base. The two closest
qumodes in neighboring bases are generally assigned opposite bit values. Thus one must
distinguish the correct qumode to get the correct bit. However, because of the fundamental
quantum fluctuation in any measurement by eavesdroppers, the discrimination of the qumode is
impossible for eavesdroppers when $M$ is sufficiently large, unless they know the
information of $k_i$.

These circumstances can be easily understood with the so-called Poincaré representation. The
qumode is represented by a point on the Poincaré sphere, and all qumodes are located on the
equator including the $z$-axis and $x$-axis defined by the Stokes operators in Fig. 2,

$$S_z = \frac{1}{2}(a^\dagger a - b^\dagger b), \quad\text{and}\quad S_x = \frac{1}{2}(a^\dagger b + b^\dagger a), \tag{6}$$

where $a$ is an annihilation operator for the horizontal mode and $b$ is an annihilation
operator for the vertical mode. The qumode is, then, represented by the point

$$(S_z, S_x) = \frac{1}{2}|\alpha|^2(\cos\theta_k, \sin\theta_k), \tag{7}$$

and it has the following isotropic quantum fluctuation

$$\Delta S_z = \Delta S_x = \frac{1}{2}|\alpha|. \tag{8}$$

$N_\alpha$ other qumodes are included in the fluctuation, where
$N_\alpha = M/(\pi|\alpha|)$, and no one can distinguish the correct qumode from the others.
Therefore nobody except Alice and Bob can draw out the correct bit, whereas Bob's decision
has to be made only between two nearly orthogonal states in the same basis defined by a given
$k_i$.

From the above argument, one can see that Alice and Bob can safely share the new random bits
$\{r_i\}$, whose length is longer than the original shared random common key $K_s$. Alice and
Bob seem to be able to realize QKE by using the Y-00 protocol. However, a careful
consideration tells us that this protocol doesn't help Alice and Bob to expand their key in a
perfectly secure way.

FIG. 2: qumode in Poincare sphere at M = 16

Let us imagine that Eve classifies the bases into two classes: one class $C_+$ consists of
the bases which have the same bit-assignment as the $k_i = 0$ base, and the other class $C_-$
consists of the rest of the bases. She can, then, define a mono-bit mapping
$\mathrm{CW}(\cdot)$ from the base $k_i$:

$$\mathrm{CW}: k_i \mapsto \tilde{k}_i = \begin{cases} 0 & (k_i \in C_+) \\ 1 & (k_i \in C_-) \end{cases}. \tag{9}$$

Since Eve observes the qumode and its base only vaguely, she selects an appropriate base
which belongs to the class $C_+$ from the candidates and gets a bit $l_i$ from observation
under the selected base. Since the candidates are not always the same as the true bases, the
bit $l_i$ cannot always be equal to $r_i$. However, one will find that the following
important relation holds:

$$l_i = r_i \oplus \tilde{k}_i. \tag{10}$$

Notice that the quantum error due to the wrong choice of base is absorbed in the second term
on the right-hand side. Moreover, since the inner product of the true qumode
$|\Psi(\theta_k)\rangle$ and the orthogonal qumode on the incorrect base $k + \Delta k$ is
given by

$$|\langle\Psi(\theta_k)|\Psi(\theta_{M+k+\Delta k})\rangle|^2 = e^{-2|\alpha|^2\left(1+\sin(\pi\Delta k/2M)\right)}, \tag{11}$$

(the product is extremely small if the qumode is a mesoscopic state where the order of
$\Delta k$ is at most $N_\alpha$), the error derived from the $M$-ary ciphering mechanism is
negligible.
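
Added derivation (not part of the original text) of the overlap in Eq. (11) from Eqs. (1)-(2), using the standard coherent-state overlap $|\langle\beta|\gamma\rangle|^2 = e^{-|\beta-\gamma|^2}$ in each polarization mode and writing $k' = M + k + \Delta k$:

$$
\begin{aligned}
|\langle\Psi(\theta_k)|\Psi(\theta_{k'})\rangle|^2
&= \exp\!\Big(-|\alpha|^2\Big[\big(\cos\tfrac{\theta_k}{2}-\cos\tfrac{\theta_{k'}}{2}\big)^2+\big(\sin\tfrac{\theta_k}{2}-\sin\tfrac{\theta_{k'}}{2}\big)^2\Big]\Big) \\
&= \exp\!\Big(-2|\alpha|^2\Big[1-\cos\tfrac{\theta_k-\theta_{k'}}{2}\Big]\Big), \qquad \tfrac{\theta_k-\theta_{k'}}{2} = -\tfrac{\pi}{2}-\tfrac{\pi\Delta k}{2M}, \\
&= \exp\!\Big(-2|\alpha|^2\Big[1+\sin\tfrac{\pi\Delta k}{2M}\Big]\Big).
\end{aligned}
$$

For $\Delta k = 0$ this reduces to $e^{-2|\alpha|^2}$, the overlap of the two qumodes on the true base.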

In addition, Eve can make her measurement undetectable by Alice and Bob, by resending a
similar quantum state to Bob, who is interested only in the discrimination of the two
possible states. In principle, Bob can check if the state is really one of the two possible
states, if the quantum channel can be assumed free from noise. However, it is much harder to
check this than only to distinguish the states from each other. Moreover, it requires much
higher technology than what is assumed in the original Y-00 protocol. Also, the assumption
that the quantum channel is free from noise is a quite unrealistic one.

Again, we would like to stress that the detection of Eve's measurement is impossible for
Alice and Bob under the relevant assumptions of the Y-00 protocol, paying serious attention
to the philosophy of the original proposal, that is, an easily realizable protocol with
conventional optical technologies. Also, note that signal amplification, which is considered
one of the main advantages of the protocol, is impossible under the assumption that Eve's
activities can be detected.

There is a small technical problem that the classification is not globally well-defined,
because the base space is topologically homeomorphic to the Möbius ring. The vertical
polarization mode on the $k = 0$ base is adjacent to the horizontal one on the $k = M-1$
base, though the base space has a cyclic structure modulo $M$. However, one can solve this
problem by introducing the following "local" classification in the neighborhood of a given
$k$-base in Fig. 3:

1. Fix the farthest base $k_{\mathrm{cut}} = k + [M/2] \bmod M$ as the cut base if a certain
$k$ is given.

2. Classify each base from $k = 0$ to $k_{\mathrm{cut}}$ in both additive and subtractive
directions.

The local classification is well-defined in the neighborhood of $k$ and unique for any $k$.
It is no problem that the neighborhood of $k_{\mathrm{cut}}$ is ill-defined, because the
qumodes on the $k$-base and $k_{\mathrm{cut}}$ are orthogonal to each other, i.e.

FIG. 3: Local Classification on bases at M = 16



Let us recall the important fact that, in the Y-00 protocol, Eve can get (10) without being
detected by Alice and Bob. First of all, one should notice that this situation can be
simulated in a classical way.

Let us investigate the Y-00 protocol as a cryptographic communication system where one-time
pad is used as the encryption algorithm for messages in Fig. 4.

FIG. 4: Y-00 communication system

Eve gets two clues to cryptanalysis. One clue is a ciphertext $c_i$ of the message:

$$c_i = p_i \oplus r_i, \tag{13}$$

where $p_i$ is a plaintext of the message, which is legible to anybody and often has language
characteristics. The other clue is an inaccurate qumode that Eve observes in the quantum
channel.

As Eve knows the two bit streams (13) and (10) in this way, she gets another bit stream

$$c_i \oplus l_i = p_i \oplus \tilde{k}_i. \tag{14}$$

The bit stream is nothing but a classical stream cipher where $c_i \oplus l_i$ is a
ciphertext, $\tilde{k}_i$ is a key stream, and its generator algorithm is
$\mathrm{CW} \circ \mathrm{PRNG}(\cdot)$. Therefore Y-00 protocol has no perfect security and
its security is based on computational complexity.
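
The reduction in Eqs. (10), (13) and (14) can be checked with a purely classical simulation, added here as an illustration (it is not code from the paper). Assumptions: Python's `random.Random` stands in for the PRNG, $K_s$ is a toy 12-bit key, CW is taken as `k mod 2` (neighboring bases carrying opposite assignments), and "language characteristics" is modelled as printable ASCII.

```python
import random
import secrets

M = 16          # number of bases, as in the page's figures
KEY_BITS = 12   # toy size of K_s so the exhaustive search is quick (assumption)

def prng_bases(key, n):
    """Stand-in for PRNG(K_s) of Eq. (5): n base indices k_i in {0..M-1}."""
    rng = random.Random(key)
    return [rng.randrange(M) for _ in range(n)]

def cw(k):
    """Assumed CW map of Eq. (9): neighbouring bases carry opposite bit
    assignments, so even k is class C+ (-> 0) and odd k is class C- (-> 1)."""
    return k & 1

def to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]

def from_bits(bits):
    return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def eve_view(key, plaintext):
    """Simulate one session classically; return what Eve holds: (c, l)."""
    p = to_bits(plaintext)
    r = [secrets.randbits(1) for _ in p]                  # PhRNG bits r_i
    k_tilde = [cw(k) for k in prng_bases(key, len(p))]
    c = [pi ^ ri for pi, ri in zip(p, r)]                 # Eq. (13)
    l = [ri ^ ki for ri, ki in zip(r, k_tilde)]           # Eq. (10)
    return c, l

def eve_recover(c, l):
    """Search K_s using Eq. (14): c_i ^ l_i = p_i ^ k~_i (r_i has cancelled)."""
    s = [ci ^ li for ci, li in zip(c, l)]
    hits = []
    for key in range(2 ** KEY_BITS):
        k_tilde = [cw(k) for k in prng_bases(key, len(s))]
        guess = from_bits([si ^ ki for si, ki in zip(s, k_tilde)])
        if all(32 <= b < 127 for b in guess):             # language redundancy
            hits.append((key, guess))
    return hits

if __name__ == "__main__":
    c, l = eve_view(0xABC, b"Y-00 reduces to a stream cipher")  # constructed sample
    print(eve_recover(c, l))
```

The truly random bits $r_i$ never enter `eve_recover`: the work factor is set only by the size of $K_s$ and the strength of the generator, which is the page's point.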

The above discussion is independent of the encryption algorithm. In the case of a block
cipher algorithm instead of one-time pad, we may observe (10) in a block whose size is $N$,

$$L_j = R_j \oplus \tilde{K}_j, \tag{15}$$

where $\oplus$ is bitwise XOR and $L_j$, $R_j$, and $\tilde{K}_j$ are concatenations of
$l_i$s, $r_i$s, and $\tilde{k}_i$s, for example,

$$L_j = l_{(j-1)N+1} \,\|\, l_{(j-1)N+2} \,\|\, \cdots \,\|\, l_{jN}. \tag{16}$$

The ciphertext is given by

$$C_j = E_{R_j}(P_j), \quad\text{and}\quad P_j = D_{R_j}(C_j), \tag{17}$$

where $P_j$ and $C_j$ are block sequences instead of bit streams and $E(\cdot)$, $D(\cdot)$
are the encryption and decryption algorithms. We, then, get the following relation

$$P_j = D_{L_j \oplus \tilde{K}_j}(C_j), \tag{18}$$
instead of the simple relation (14). A brute-force attack on the freedom of $K_s$ is
applicable to (18) in the worst case that we have no clue to cryptanalyze the encryption
algorithm. Therefore its security is never beyond that of a scheme based on computational
complexity.

This attack is not applicable to QCSPS like BB84 because it has the feature of eavesdropping
detection. QCSPS with non-separable carrier abandons the communication itself as soon as
eavesdropping is detected.

It is interesting to analyze our results in comparison to the ones related to secret key
agreement over classical noisy channels. It is known that certain noisy correlated data can
provide finite secrecy capacity and perfectly secure key agreement between Alice and Bob even
when the correlation between Alice and Eve is less noisy than the correlation between Alice
and Bob (if an authenticated noiseless public channel is provided). Y-00 protocol would,
then, be expected to be a practical and efficient implementation of this noisy correlation
using quantum noise. The result (10), however, tells us that the correlation implemented by
Y-00 protocol is not a stochastic one but one which comes from a deterministic bit-flip
channel owing to the local classification and the appropriate base-selection. Therefore, Y-00
protocol does not provide "genuine" noisy correlations between Alice, Bob and Eve and, hence,
does not satisfy the conditions specified in those works.

We assume that qumodes are mesoscopic, $|\alpha|^2 \gg 1$, in the above discussion. If
$|\alpha|^2$ is sufficiently small, quantum effects are expected to be no longer negligible.
In our attack, if the two qumodes on the farthest base $k_{\mathrm{cut}}$ are not
sufficiently orthogonal to the true qumode, $|\alpha|^2 < 1 + 1/\sqrt{2}$ from (12), the clue
(10) is not correct and the eavesdropping channel becomes a stochastic noisy channel. Y-00
protocol would, then, recover perfect security if it used microscopic coherent states instead
of mesoscopic ones, but its extremely high performance would be lost.